MERCUR Mailserver advisory/remote exploit

2002-07-19T00:00:00
ID SECURITYVULNS:DOC:3233
Type securityvulns
Reporter Securityvulns
Modified 2002-07-19T00:00:00

Description

2c79cbe14ac7d0b8472d3f129fa1df55 Security Advisory #3

PRODUCT

Atrium Software International's MERCUR Mailserver, All Versions

DESCRIPTION

MERCUR Mailserver's Control-Service, installed and activated by default on port 32000, is vulnerable to a classic stack buffer overflow in its password argument. An exploit for MERCUR 4.2 (current) is included and has been tested against both Win2K and WinXP Pro.

<260 bytes><EBP><EIP>

As you can see, I'm too lazy to write my own shellcode to fit in that wee little 260-byte buffer, and we can't choose the right side, as anything over a few bytes will end up overwriting what will become the contents of ECX prior to our target RET, causing an early exception. So a sexy little trick is in order.

We just abuse the fact that an invalid username, one of a very large length, is copied and stays resident in local memory when we overrun the password buffer. Sizing these two buffers correctly, we can have them overlap each other, allowing us to jump from the password buffer to our payload (the username buffer) easily. YIPPPEE!@!#
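As an added illustration (not MERCUR's code, which is closed source, and not part of the original advisory), here is a minimal line-oriented command handler in the style of the control service described above. The 260-byte password buffer and the 32-bit frame layout follow the advisory's sketch; the "USER"/"PASS" verb names, the 1024-byte username area and the return codes are assumptions made for the example. The unbounded strcpy() version shows the bug pattern; the bounded handler beside it rejects an overlong argument instead of copying it.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not MERCUR code. Sizes below are assumptions except
 * PASS_BUF_LEN, which follows the advisory's <260 bytes><EBP><EIP> sketch. */
#define PASS_BUF_LEN 260
#define USER_BUF_LEN 1024   /* assumed: only needs to be "large" */

enum verdict { ACCEPTED = 0, REJECTED_TOO_LONG = -1, REJECTED_SYNTAX = -2 };

/* Vulnerable pattern: the argument is copied into a fixed stack buffer with
 * no length check. More than 260 bytes run over the saved EBP, then the saved
 * return address, exactly as sketched above. Shown for comparison only; never
 * call it with untrusted input. */
int pass_vulnerable(const char *arg)
{
    char buf[PASS_BUF_LEN];
    strcpy(buf, arg);                   /* unbounded copy: the bug */
    return (int)strlen(buf);
}

/* How many bytes an argument of this length would write past the end of the
 * 260-byte buffer (strcpy also writes the NUL), or 0 if it fits. On the
 * 32-bit frame described above, 4 bytes over reaches the saved EBP and 8
 * bytes over reaches the saved EIP. */
size_t overflow_bytes(size_t arglen)
{
    size_t needed = arglen + 1;
    return needed > PASS_BUF_LEN ? needed - PASS_BUF_LEN : 0;
}

/* Hardened handler: check the length before copying, and reject rather than
 * silently truncate so the caller cannot act on a clipped value. */
int pass_safe(const char *arg, size_t len)
{
    char buf[PASS_BUF_LEN];
    if (len >= sizeof buf)
        return REJECTED_TOO_LONG;
    memcpy(buf, arg, len);
    buf[len] = '\0';
    /* ... authenticate against buf ... */
    return ACCEPTED;
}

/* The username stays resident between commands (the advisory relies on an
 * oversized USER argument remaining in memory); bound it the same way. */
static char g_user[USER_BUF_LEN];

int user_safe(const char *arg, size_t len)
{
    if (len >= sizeof g_user)
        return REJECTED_TOO_LONG;
    memcpy(g_user, arg, len);
    g_user[len] = '\0';
    return ACCEPTED;
}

/* Dispatch one "VERB argument\r\n" line the way a control service would.
 * The argument ends at the first CR or LF, so the line terminator is never
 * counted as part of it. */
int handle_line(const char *line)
{
    size_t n = strcspn(line, "\r\n");
    if (n >= 5 && memcmp(line, "USER ", 5) == 0)
        return user_safe(line + 5, n - 5);
    if (n >= 5 && memcmp(line, "PASS ", 5) == 0)
        return pass_safe(line + 5, n - 5);
    return REJECTED_SYNTAX;
}

/* Feed a PASS line with `len` repeated bytes through the dispatcher, so the
 * bound can be exercised without a live socket. */
int probe_pass_length(size_t len)
{
    static char line[5 + 2048 + 3];
    if (len > 2048)
        return REJECTED_SYNTAX;
    memcpy(line, "PASS ", 5);
    memset(line + 5, 'A', len);
    memcpy(line + 5 + len, "\r\n", 3);
    return handle_line(line);
}

int main(void)
{
    printf("overflow_bytes(267) = %zu\n", overflow_bytes(267));
    printf("PASS of 259 bytes   -> %d\n", probe_pass_length(259));
    printf("PASS of 268 bytes   -> %d\n", probe_pass_length(268));
    printf("PASS secret         -> %d\n", handle_line("PASS secret\r\n"));
    return 0;
}
```

The bounded handler fixes the overflow at the copy; it does not by itself address the exposure of an unauthenticated control port, which is what the Security -> Firewall workaround below is for.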

FIX/PATCH/WORKAROUND

No patch this time, as a workaround is simple: MERCUR allows you to restrict access to each service individually under the Security -> Firewall options. Port 32000 should be restricted by default, and I would guess it soon may be.

Sorry about the Winamp patch; who the hell knew WinRAR uses a proprietary zip format?

symantec's #1 fan, 2c79cbe14ac7d0b8472d3f129fa1df55
